[jboss-jira] [JBoss JIRA] (ELY-553) Make use of realm events to handle OTP timeout updates

Farah Juma (JIRA) issues at jboss.org
Mon May 30 19:13:00 EDT 2016


Farah Juma created ELY-553:
------------------------------

             Summary: Make use of realm events to handle OTP timeout updates
                 Key: ELY-553
                 URL: https://issues.jboss.org/browse/ELY-553
             Project: WildFly Elytron
          Issue Type: Feature Request
          Components: SASL
            Reporter: Farah Juma
            Assignee: Farah Juma


For the OTP SASL mechanism, we need to protect against race attacks, as described in [RFC 2289|https://tools.ietf.org/html/rfc2289#section-9.0]. The approach {{OTPSaslServer}} [currently takes|https://github.com/wildfly-security/wildfly-elytron/blob/master/src/main/java/org/wildfly/security/sasl/otp/OTPSaslServer.java#L135-L145] to defend against such attacks is the one suggested in RFC 2289, i.e., we prevent multiple simultaneous authentication sessions for a user. This means that once a legitimate user has started the authentication process, an attacker would be blocked until that first authentication process finishes. With this approach, a timeout is needed in order to prevent a denial of service attack. We could store the timeout info for a user via a {{RealmIdentity}} attribute as in [PR #277|https://github.com/wildfly-security/wildfly-elytron/pull/277]. We could then add support for a new event that indicates a timeout attribute change for a realm identity and then handle a {{TimeoutUpdateCallback}} by handling this new event.
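As an added illustration (not WildFly Elytron's code and not part of this ticket), the single-session-per-user guard with a timeout that the description outlines, in Python; the class and method names are hypothetical, and the `on_timeout_update` callback stands in for the proposed realm event that fires when a user's timeout attribute changes:

```python
import threading
import time


class OtpAuthenticationGuard:
    """Per-user guard against the RFC 2289 section 9 race attack.

    While one OTP exchange for a user is in progress, a second attempt for
    that user is refused. The slot expires after `timeout_seconds` so an
    attacker who starts an exchange and never finishes it cannot lock the
    legitimate user out (denial of service). `on_timeout_update` stands in
    for the realm event the ticket proposes: it is called whenever a user's
    timeout attribute is set or cleared. Illustrative code only.
    """

    def __init__(self, timeout_seconds=60.0, clock=time.monotonic,
                 on_timeout_update=None):
        self._timeout = timeout_seconds
        self._clock = clock                      # injectable for tests
        self._listener = on_timeout_update
        self._lock = threading.Lock()
        self._expiry = {}                        # user -> expiry time

    def _set(self, user, expiry):
        if expiry is None:
            self._expiry.pop(user, None)
        else:
            self._expiry[user] = expiry
        if self._listener is not None:
            self._listener(user, expiry)         # "timeout attribute changed"

    def begin(self, user):
        """Claim the user's single authentication slot.

        Returns True when the caller now owns it, False when another
        exchange is in progress and has not yet timed out.
        """
        now = self._clock()
        with self._lock:
            expiry = self._expiry.get(user)
            if expiry is not None and expiry > now:
                return False                     # concurrent attempt: refuse
            self._set(user, now + self._timeout) # fresh or stale slot: take it
            return True

    def end(self, user):
        """Release the slot when the exchange succeeds or fails."""
        with self._lock:
            self._set(user, None)
```

A stale slot whose expiry has passed is reclaimed by the next `begin`, which is what keeps an abandoned attempt from turning the race protection into a lockout.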



